[0:25] Insights From a CTI Expert on Emerging Threat Actors

Petko: Today we've got an interesting guest and I love it when we get technical. Today we're going to talk to Dmitry Bestuzhev and he's the Senior Director of Cyber Threat Intelligence at Blackberry. And prior to Blackberry, Dmitry was part of the head of Kaspersky's Global Research Analysis team where he oversaw the company's experts in anti-malware development.

Working in the region he's seen a lot of different things from a nation-state and how they attack, but he spent 20 years just in IT security and just different roles.

I'm excited today to talk to him and learn from him about this field of expertise and what we're learning in fraud and profile tax we're seeing in governments and everything. So, I'm going to pass it off to you, Dmitry. Anything I missed there that you want to share about your background or research? What are you currently working on?

Dmitry: Yes, thank you very much, Petko, and it's a pleasure to be here. Yes. Well, nowadays, it's so hard. You see the threat landscape is getting even more and more weird in terms of the threat actors. Also, tools or weapons they use, like financially motivated threat actors and nation-states, rely more and more on the same tooling.

So, that makes our life, like CTI researchers, a little bit harder because that line is really blurred right now, who's behind each attack. So we are tracking those attack targets worldwide, all the regions, doesn't matter if they speak Spanish, Russian, Chinese or English, or French language. 

Unveiling the Power of CTI

Dmitry: And we convert that knowledge or that information from the technical point of view into something actionable you can take. And can use very specific actions to test your capabilities and prevention, detection, response, and recovery. So that is about the work I do and my team we do together.

Petko: You're talking about cyber threat intelligence, right, Dmitry? What does that usually entail? I mean, we hear about threat intelligence and we think about speeds and fees, but I think it's more than that.

Dmitry: Absolutely.

Petko: How do you define CTI?

Dmitry: Well, CTI, it's a discipline or it's knowledge, let's say, which must be always converted into something actionable. And not only feeds, IRCs, hashes, and domains because you need the context. So if you want to have an effective CTI program, you need to know the context, which will help you to anticipate those attacks against you specifically, not against even the industry. 

That anticipation must be also very specific. Not only who will attack me and why, but how. How, is the question as well to answer? So, it's who, how, when, what, and all that information must be answered in a CTI report by means of different sections. Sometimes just high-level information, mid-level information, and very low-level information. And the idea is to convert it into those four subtypes of CTIs, strategical, tactical, technical, and also operational.

So all of them, board, system, network administrators, instant response teams, SOC or blue team defenders in general. They might have everything needed on their level to anticipate those attacks, to test their capabilities or to, is it the case over the board, to know what's coming? 

Harnessing CTI for Practical Protection and Detection Strategies
Dmitry: How much funds will we need? What are the risks versus impact? So it's not about traditionally speaking feeds and all those things we know every day. It's a part of it.

Petko: Is it about honestly informing the defense infrastructure for CISO or CIO, like, here's what we're seeing in the wild, do we have protections against that? Is that where you're focused on currently?
Dmitry: Yes. So we have attacks in the wild, right? So those attacks in the wild can't be seen as just like I say, oh, it's malware. Oh, it's been used that way, but who is behind it? Why? How? So that information is worked on and then transformed into reports.

Those reports are also connected to the industries, connected to the regions of the attacker's motivations. And then that information technical and also high-level information, yes, the companies they need to test first. Do they have protection? 
It means their products, the current products they use, are designed to stop those attacks. Yes or no? If not, can we detect it? It means do we have even visibility, enough visibility to say, okay, we can't protect, but we can detect because we'll have logs, yes or no.

Or maybe it's an attack, maybe it's a tool, maybe it's a technique used to, even out of protection scope by the customer. So all of that must be always practical, CTI must be practical. If it's not practical, it's not really about CTI. It's about malware analysis only.
Petko: Can you give us some recent examples of how organizations can use CTI to make it practical or how users can use it to make it practical?

Proactive Defense Strategies for Threat Hunting and Mitigation

Dmitry: Absolutely. So we've seen recently many attacks, the geopolitics, and the war in Ukraine. So the threat actors behind the targeting of Ukraine also began targeting NATO members by means of the personification of software. Which is used by NATO members supporting Ukraine.

So what we provide is to our customers, CTI customers, it's a document with the information. For example, a summary is about what happened, when, and how. 

And always the rule, it's bottom line up. Then brief Mitra Attack information. Then it's a technical analysis of weaponization and just a technical overview of the initial attack vector, about network infrastructure. That is about also targets and attributions along with conclusions.

Conclusions, so what should they do? And appendixes, technical appendixes. IOCs applied countermeasures and detailed MITRA Attack mapping. So for a real customer, it's like, okay, this is happening. I'm not sure even if I was attacked or not, let's do a threat hunting.

How? Okay, we got Sigma rules, we got Suricata rules. So we can see if on the endpoint level, like behavior, we see any matches based on the sigma rules or Suricata rules? All right, so let's go to the network level and see do we have any malicious traffic behavior on the malicious traffic, like the one described in this or that attack.

Or yellow rules. Okay, so what about files? Those files which are running in my system, is there any similarity, any connection?
So I can proactively hunt or if I know I was infected, I can respond to that act. But with the context, I know what I'm looking for, I know how it behaves.

I know what is the motivation, so I can mitigate it completely. 

[7:58] Leveraging CTI to Safeguard Personal and Corporate Frontlines

Dmitry: When I understand that, let's say, the target was government secrets or military secrets. So I should assume that if that information was compromised, the operations were also compromised, I mean in the field everywhere. So the countermeasures in this case for the recovery must be not just, oh, let's change the passwords or let's revoke the accesses. 

It's about understanding that the whole thing, probably, real-life things, was also compromised. So that helps to be very specific, and very concrete to take super good actions, which will have a positive effect in real life and in my cyberspace.

Petko: Dmitry, I'm thinking back to when I was operating a SOC, and we would take some of these reports and we would think we blocked it at the endpoint. And next, we actually didn't realize. But they had gotten to the active directory server and they've actually copied certain files that would release your username and passwords.

So we didn't just have to clean up one endpoint, we had to clean up all our usernames and passwords and reset them all with service accounts and everything. 

So I love it that you're working at the tip of the spear and just constantly seeing what's new. What's the latest? I know at the corporate level we're doing cyber threat intelligence.

Is there something that you're seeing around personal attacks or what, I mean we've got lots of folks traveling now. Is there something they should be aware of?

Protecting Your Devices with CTI in the Travel Ecosystem

Dmitry: Yes. And also that is another ecosystem with many threat actors targeting in different ways. So sometimes it can be just traditional speaking like financially motivated malware. It depends on the region where you're coming from.

So threat actors will also change. But for travelers, many times what we face is you are running low, your battery's running low. So it's very common to see people at the airport looking for a charging station and to plug your phone in and to be like, oh, it's like I have a paradise for your cell phone.

Petko: I can't plug my cell phone in. I got to get my juice. Why can't I plug in my cell phone and charge it?

Dmitry: Yes, you can. And everybody does that. But there is a risk, a real risk. It's not about theories, it's about something called juice jacking. 

So juice jacking, and it's a malicious technique that helps or enables the attacker by means of physical connections, through the use, be like cables connecting the device. It can be any device, it can be a cell phone, it can be Apple, it can be Android, whatever, or it can be a tablet.

But each time such a device is connected to that malicious station or compromised station. There is an opportunity for the attacker to not just charge the battery of the phone or tablet. But also by means of enabling data transfer mode to manipulate the device, steal something, to install something.

So it's about, it's dual use. It's not just charging batteries, it's about also straight access to the device for whatever malicious reason.

The Importance of CTI and Physical Data Blockers

Petko: Yes. Because I think most of us when we charge our phones, we'll let it sit there for a little bit, later on, we'll pick it up, I'll start using it, and unlock it. And by us unlocking it, I think I've seen this a couple of times, you get asked, do you want to grant access to this USB cable, let's say.

Dmitry: Indeed.

Petko: And you're like, well, of course, I want power. And sometimes you don't get power until after you grant access. But what you just did is you didn't just get power. You also now gave that USB cable and whatever's on the other end full access to your operating system on your phone and your contacts.

Potentially there and everything else that goes into it. Is that just for, I mean you mentioned it's also Android and iPhones, I guess it's all devices, right?

Dmitry: Yes. Actually, even if the phone is running on Linux, the thing will be the same because it's even a low-level attack first. So it's a physical cable unless you block specifically data transfer with blockers, special blockers.

Petko: Is that a physical blocker? 

Dmitry: Indeed. Yes.

Petko: So it's not software, it's something that you'd have to use between your phone or your device and the USB to ensure that only the power comes in and not the data. Okay.

Dmitry: Yes. So Sasha blocker, it's a must to have it with you when you're traveling, even if you're just connecting to, I don't know, inside of the aircraft. 

Mitigating Data Compromise Risks

Dmitry: Why not use that? Why even run the risk of exchanging your data with anything why? Because what you're looking for is not to synchronize anything. You don't want to synchronize anything. You want just electricity. So why run that risk, even to think that probably might be or might not, but your device would be sending or receiving data. It's like what for?

Petko: Dmitry, you just said something that I just didn't realize and I wonder if the audience caught on it. We always think about the airports and charging our phones there, but what about the airplane?

Dmitry: Well, you see those computers in front of us, sometimes people say, oh, it's an entertainment system or it's a just seat. It's something like that. But in reality, it's a computer. In the past, I saw those flying terminals running on Linux. Now we see more and more it's Androids behind it. So the question is can they be manipulated, or infected?

Yes, of course, they can. And in the end, it's an operating system so it can install stuff, it can copy stuff, so it can do things. 

So it's not about connecting yourself to the AC, just like pure AC. If you do that, it's fine. But if you connect through a USB cable to that system, you get to understand there is always a risk.

Petko: Yes. So it's almost like those ATMs. I mean I think years ago or probably still happening if you have these. They would put something on top of the machine that actually scans your ATM card or your credit card to get a copy of it. 

Safeguarding Passenger Connectivity and Data

Petko: But the same thing could happen on an airplane or in an airport where you think it's a regular USB power station, but they put something on top of it to hijack it. If you will. And it could be months before they realize it even.

Dmitry: Yes, indeed. And the problem is while you're flying, who knows if also another passenger is connected to the same network. I mean wifi network can be also a malicious threat actor. Just scanning the network trying to see who's connected.

So that computer which is in charge, one computer was in charge of the entertainment. It's also a host inside of the network to everybody's connected, even if it's a malicious traveler, let's call him like that. So it can be also compromised. And then who knows, what are the further actions, and next steps he or she may take,

Petko: I was just looking at the number of folks that are going through TSA security on a certain day. We're now back to pre-COVID. And it's about 2.5, 2.6 million a day that go through TSA security. Make the assumption that all of those end up on an airplane, now you have 2.6 million people sitting in airplane seats every single day. It just takes one of them to change one seat or two seats here and there and next, you know it's propagating.

Dmitry: Yes. And some probably would say, okay, but how to exfiltrate that data? Well, we have also internet on board. So there is a link so you can use it. So there are many ways, just not only to steal information but also to exfiltrate it for malicious threat actors. 

[16:00] How CTI Protects Personal Devices From Emerging Threats

Dmitry: So it's way better if we use just a traditional socket, like electricity, like AC sockets. So in fact we have them at the airport, we have them usually on the bottom of the seat, which is in front of you. So use them instead of USB, right.

Or if you use a USB cable, use a data blocker, a physical data blocker, which connects basically between that port between your cable and then it's a physical block. So the circuit, the electronic circuit, it's preventing data transfer in any direction.

Petko: So bring your own charger. If you don't have your own charger, bring your own blocker.

Dmitry: Yes.

Petko: Hopefully. Well, that's just, I mean I'm assuming that's just iPhone and Android. Are there other attacks you're seeing that are on other personal devices? I think you and I were talking about Mac OS has become much more prevalent. I mean, is that true?

Dmitry: Yes, it's true. And it's proven by telemetry. It's proven by the analysis we have. And essentially it's about targeting macOS users, especially those who invest in cryptocurrencies. And the main cluster behind it, it's the Lazarus Group, which belongs public attributed to North Korea, and there is a group called Apple Juice. They have been actively targeting macOS users by means of social engineering first, just sitting malicious, purely malicious. 

So websites on the internet providing supposedly information for exchange when someone wants to cash out or just convert the cryptocurrency into another cryptocurrency. Even security tools. So they do a very hard job. 

Safeguarding Users from Cryptocurrency Theft and Supply Chain Attacks

Dmitry: And even infecting people through LinkedIn, sending them CVs, and job offers to work like a cybersecurity expert and the cryptocurrency industry. And the point is that once infected, they steal those wallets. And for cryptocurrency investors, it's a real risk because the impact is everything. You can just lose all your investments, all your funds, just because your Mac is infected.

Petko: I can understand the financial motivation for the crypto side. Are there other things that they're looking for from the financial motivation standpoint?

Dmitry: Yes, that's a good example of that. It's the latest attack. We remember that it's a voice-over of a peak company, so they were compromised. And then a malicious update was deployed to everybody, basically everyone in the world.

And it was not only for Windows but also for Mac users. So we call it a supply chain attack, right? Again, it was North Korea behind it. 

So imagine even if you say, well, I don't have cryptocurrencies and I'm a very good security expert. But if you use any third-party app, and we use them, so we got to be ready for a supply chain attack. So when you receive an update, that update can be anything inside. So it's an implant, which can be used as a backdoor, it can be used like a, I don't know, a RAT, remote access tool. It can be anything. It depends on the motivation of the attacker.

Petko: Well, I'm curious, what can macOS users do to prevent these types of attacks? How do you safeguard it? Because you talked about updates. So I don't update or should I update?

Enhancing Visibility and Protection Against Compromised Updates and Implants

Dmitry: Well, yes, traditionally speaking, we always teach, right? People always say, yes, sure, install updates because that's how you fix vulnerabilities. And that is right. I mean that's cool, is right. It's not a mistake. We all need, we must install updates. But it's different when your software vendor or any software you use it was compromised.

Sometimes even in a fully automated mode, your update, it's not even something you accepted or not accepted, it's just automatic. 

It was installed on the side. So for macOS users, it's challenging. It's a challenge even compared to Windows users because on Windows we have so many tools. Even for hunting, for monitoring. On Mac, usually, it's internal commands, native commands. There are some tools also very well, nice tools by objectives, by the Sea company. It's also free. You can download it and use it. That's fantastic. But usually for those macOS users, it's really hard to find out if they're infected or not. So here is the combination of things. 

It's about using threat intelligence, yes, monitoring networks. Because in most cases, if you got any implant installed, of course, there should be communication with the C2, external C2. So get better visibility over the network. Your connections, especially outgoing connections, not incoming connections, but what is traveling from my computer to outside.

And have a context. Context about those hosts, IPs, and URLs, try to understand. Check, grab, and check also user agents, because if your computer is connecting, let's say, with a remote host, which you think is not malicious. 

CTI Proactive Measures and YARA Rules

Dmitry: But let's say there is a user agent in use, which does not belong to you, you don't have such a browser in your system. But it says this is the system, the user agent that uses it. So in this case, it'll be also a red flag.

Petko: So we just have to be proactive and know what's in our systems. I guess it goes back to knowing what's on your laptop, knowing what applications are doing there, and being paranoid.

Dmitry: Right. And the good thing, you can also use YARA rules on macOS. So you run them, it's the same. You can write or use those YARA rules not only for the disk but also for the memory, like commands. Those commands, which usually are malicious, it's very easy to spot in the memory because everything's unpacked. So it's also great. I would also recommend it.

Rachael: And I hate to do this, but we are at the end of today's podcast. This is such a great conversation with Petko and Dmitry that we are going to pick back up for part two next week. To all of our listeners out there, thank you so much for joining this week. And for our new listeners, welcome. And if you're enjoying the conversation, please subscribe. We're on all major podcast platforms. Until next week everyone, stay secure.

About Our Guest

Dmitry Bestuzhev is Senior Director, CTI (Cyber Threat Intelligence) at BlackBerry. Prior to BlackBerry, Dmitry was Head of Kaspersky's Global Research and Analysis Team for Latin America, where he oversaw the company's experts' anti-malware development work in the region. Dmitry has more than 20 years of experience in IT security across a wide variety of roles. His field of expertise covers everything from traditional online fraud to targeted high-profile attacks on financial and governmental institutions. His main focus in research is on producing Threat Intelligence reports on financially motivated targeted attacks.